07-Security Command Reference

18-Session Management Commands

Session management commands

Support for session management commands depends on your device model. For more information, see About the H3C Access Controllers Command References.

application aging-time

Use application aging-time to set the aging timer for the sessions of an application layer protocol.

Use undo application aging-time to restore the default.

Syntax

application aging-time { dns | ftp | msn | qq | sip } time-value

undo application aging-time [ dns | ftp | msn | qq | sip ]

Default

The default session aging times for the application layer protocols are as follows:

·     DNS: 60 seconds.

·     FTP: 3600 seconds.

·     MSN: 3600 seconds.

·     QQ: 60 seconds.

·     SIP: 300 seconds.

Views

System view

Default command level

2: System level

Parameters

dns: Specifies the aging time for DNS sessions.

ftp: Specifies the aging time for FTP sessions.

msn: Specifies the aging time for MSN sessions.

qq: Specifies the aging time for QQ sessions.

sip: Specifies the aging time for SIP sessions.

time-value: Aging time in seconds, in the range of 5 to 100000.

Usage guidelines

If no application layer protocol type is specified, the command restores the session aging timers for all the application layer protocols to the defaults.

Examples

# Set the aging timer for FTP sessions to 1800 seconds.

<Sysname> system-view

[Sysname] application aging-time ftp 1800

display application aging-time

Use display application aging-time to display the session aging timers for the application layer protocols.

Syntax

display application aging-time [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

Use this command to check the session aging timers currently in effect for the application layer protocols. Before any timer has been adjusted, the output shows the default values.

Examples

# Display the current session aging timers for the application layer protocols.

<Sysname> display application aging-time

 Protocol                Aging-time(s)

 ftp                      3600

 dns                      60

 sip                      300

 msn                      3600

 qq                       60

Table 1 Command output

Field            Description
Protocol         Application layer protocol.
Aging-time(s)    Session aging timer in seconds.

 

Related commands

application aging-time

display session aging-time

Use display session aging-time to display the session aging timers in different protocol states.

Syntax

display session aging-time [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

Use this command to check the session aging timers currently in effect for the different protocol states. Before any timer has been adjusted, the output shows the default values.

Examples

# Display the current session aging timers in different protocol states.

<Sysname> display session aging-time

 Protocol                 Aging-time(s)

 syn                       30

 tcp-est                  3600

 fin                       30

 udp-open                 30

 udp-ready                60

 icmp-open                60

 icmp-closed             30

 rawip-open              30

 rawip-ready             60

 accelerate              10

Table 2 Command output

Field            Description
Protocol         Protocol state.
Aging-time(s)    Session aging timer in seconds.

 

Related commands

session aging-time

display session relation-table

Use display session relation-table to display relationship table entries.

Syntax

display session relation-table [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display all relationship table entries.

<Sysname> display session relation-table

Local IP/Port       Global IP/Port      MatchMode

192.168.1.22/99    10.153.2.22/99       Local

APP:QQ    Pro:UDP    TTL:2000s    AllowConn:10

Local IP/Port       Global IP/Port      MatchMode

192.168.1.100/99    10.153.2.100/99       Local

APP:FTP    Pro:TCP    TTL:2000s    AllowConn:10

Total find:  2

Table 3 Command output

Field            Description
Local IP/Port    IP address/port number on the inside network.
Global IP/Port   IP address/port number on the outside network.
MatchMode        Match mode from the session table to the relationship table:
                 ·  Local—The source IP address and source port of a new session are matched against Local IP/Port in the relationship table.
                 ·  Global—The destination IP address and destination port of a new session are matched against Global IP/Port in the relationship table.
                 ·  Either—The IP address and port of a new session are matched against either Local IP/Port or Global IP/Port in the relationship table.
App              Application layer protocol: FTP, MSN, or QQ.
Pro              Transport layer protocol: TCP or UDP.
TTL              Remaining lifetime of the relationship table entry, in seconds.
AllowConn        Number of sessions allowed by the relationship table entry.
Total find       Total number of relationship table entries found.

 

display session statistics

Use display session statistics to display statistics for the sessions.

Syntax

display session statistics [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If no keyword is specified, the command displays statistics for all sessions.

Examples

# Display statistics for all sessions.

<Sysname> display session statistics

 

Current session(s):593951

         Current     TCP session(s): 0

                 Half-Open: 0            Half-Close: 0

         Current     UDP session(s): 593951

         Current    ICMP session(s): 0

         Current   RAWIP session(s): 0

 

Current relation table(s): 50000

 

Session establishment rate:    184503/s

         TCP     Session establishment rate:        0/s

         UDP     Session establishment rate:    184503/s

         ICMP    Session establishment rate:        0/s

         RAWIP   Session establishment rate:        0/s

 

Received     TCP:                   1538 packet(s)                    337567 byte(s)

Received     UDP:           86810494849 packet(s)              4340524910260 byte(s)

Received    ICMP:                 307232 packet(s)                  17206268 byte(s)

Received   RAWIP:                       0 packet(s)                        0 byte(s)

Dropped      TCP:                       0 packet(s)                        0 byte(s)

Dropped      UDP:                       0 packet(s)                        0 byte(s)

Dropped     ICMP:                       0 packet(s)                        0 byte(s)

Dropped    RAWIP:                       0 packet(s)                        0 byte(s)

Table 4 Command output

Field                             Description
Current session(s)                Total number of sessions.
Current TCP session(s)            Number of TCP sessions.
Half-Open                         Number of TCP sessions in the half-open state.
Half-Close                        Number of TCP sessions in the half-close state.
Current UDP session(s)            Number of UDP sessions.
Current ICMP session(s)           Number of ICMP sessions.
Current RAWIP session(s)          Number of Raw IP sessions.
Current relation table(s)         Total number of relationship table entries.
Session establishment rate        Overall session establishment rate.
TCP Session establishment rate    Establishment rate of TCP sessions.
UDP Session establishment rate    Establishment rate of UDP sessions.
ICMP Session establishment rate   Establishment rate of ICMP sessions.
RAWIP Session establishment rate  Establishment rate of Raw IP sessions.
Received TCP                      Counts of received TCP packets and bytes.
Received UDP                      Counts of received UDP packets and bytes.
Received ICMP                     Counts of received ICMP packets and bytes.
Received RAWIP                    Counts of received Raw IP packets and bytes.
Dropped TCP                       Counts of dropped TCP packets and bytes.
Dropped UDP                       Counts of dropped UDP packets and bytes.
Dropped ICMP                      Counts of dropped ICMP packets and bytes.
Dropped RAWIP                     Counts of dropped Raw IP packets and bytes.

 
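As an added example (not from the H3C reference), the following Python parses output in the format shown above and applies one check a defender would want on it: the share of current TCP sessions that are stuck half-open. The sample text is constructed with non-zero TCP figures so the check has something to evaluate, and the thresholds are assumptions.

```python
import re

# Constructed sample modelled on the "display session statistics" output above,
# with non-zero TCP figures so the half-open check has something to evaluate.
SAMPLE_STATS = """\
Current session(s):120500
         Current     TCP session(s): 100000
                 Half-Open: 85000         Half-Close: 200
         Current     UDP session(s): 20000
         Current    ICMP session(s): 500
         Current   RAWIP session(s): 0

Current relation table(s): 40

Session establishment rate:    9500/s
         TCP     Session establishment rate:     9000/s
         UDP     Session establishment rate:      480/s
         ICMP    Session establishment rate:       20/s
         RAWIP   Session establishment rate:        0/s

Received     TCP:                 912345 packet(s)                  55667788 byte(s)
Received     UDP:                  20000 packet(s)                   1200000 byte(s)
Received    ICMP:                    500 packet(s)                     28000 byte(s)
Received   RAWIP:                      0 packet(s)                         0 byte(s)
Dropped      TCP:                   1234 packet(s)                     74040 byte(s)
Dropped      UDP:                      0 packet(s)                         0 byte(s)
Dropped     ICMP:                      0 packet(s)                         0 byte(s)
Dropped    RAWIP:                      0 packet(s)                         0 byte(s)
"""

_TOTAL = re.compile(r"Current session\(s\):\s*(\d+)")
_CUR = re.compile(r"Current\s+(TCP|UDP|ICMP|RAWIP) session\(s\):\s*(\d+)")
_HALF = re.compile(r"Half-Open:\s*(\d+)\s+Half-Close:\s*(\d+)")
_RATE = re.compile(r"(TCP|UDP|ICMP|RAWIP)\s+Session establishment rate:\s*(\d+)/s")
_PKT = re.compile(r"(Received|Dropped)\s+(TCP|UDP|ICMP|RAWIP):\s*(\d+) packet\(s\)\s*(\d+) byte\(s\)")


def parse_session_statistics(text):
    """Return a dict with total, half_open, half_close and per-protocol
    sessions, rate, received and dropped (packets, bytes) figures."""
    st = {"total": 0, "half_open": 0, "half_close": 0,
          "sessions": {}, "rate": {}, "received": {}, "dropped": {}}
    for line in text.splitlines():
        s = line.strip()
        if m := _TOTAL.match(s):
            st["total"] = int(m.group(1))
        elif m := _CUR.match(s):
            st["sessions"][m.group(1)] = int(m.group(2))
        elif m := _HALF.match(s):
            st["half_open"], st["half_close"] = int(m.group(1)), int(m.group(2))
        elif m := _RATE.match(s):
            st["rate"][m.group(1)] = int(m.group(2))
        elif m := _PKT.match(s):
            st[m.group(1).lower()][m.group(2)] = (int(m.group(3)), int(m.group(4)))
    return st


def half_open_ratio(st):
    """Share of current TCP sessions whose handshake never completed."""
    tcp = st["sessions"].get("TCP", 0)
    return st["half_open"] / tcp if tcp else 0.0


def syn_flood_suspected(st, ratio_threshold=0.5, min_tcp=1000):
    """A large TCP table dominated by half-open entries is the footprint of a
    SYN flood. Each half-open entry occupies the table for the "session
    aging-time syn" timer (30 s by default), so a sustained high ratio is also
    the signal to consider shortening that timer. Thresholds are assumptions."""
    return st["sessions"].get("TCP", 0) >= min_tcp and half_open_ratio(st) >= ratio_threshold
```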

display session table

Use display session table to display information about session table entries.

Syntax

display session table [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol-type { icmp | raw-ip | tcp | udp } ] [ source-port source-port ] [ destination-port destination-port ] [ count | verbose ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

source-ip source-ip: Displays the session table entries with the specified source IP address.

destination-ip destination-ip: Displays session table entries with the specified destination IP address.

protocol-type { icmp | raw-ip | tcp | udp }: Displays the session table entries for the specified transport protocol: ICMP, Raw IP, TCP, or UDP.

source-port source-port: Displays the session table entries with the specified source port. The source-port argument is in the range of 0 to 65535.

destination-port destination-port: Displays the session table entries with the specified destination port. The destination-port argument is in the range of 0 to 65535.

count: Displays the number of session table entries.

verbose: Displays detailed information about session table entries. Without this keyword, the command displays brief information about the specified session table entries.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If no argument is specified, the command displays all session table entries.

If multiple criteria (source-ip, destination-ip, protocol-type, source-port, destination-port) are specified, the command displays only the session table entries that match all of them.

Examples

# Display brief information about all session table entries.

<Sysname> display session table

Initiator:

  Source IP/Port : 192.168.1.18/2048

  Dest IP/Port    : 192.168.1.55/768

  Pro              : ICMP(ICMP(1))

  VPN-Instance/VLAN ID/VLL ID:

Initiator:

  Source IP/Port : 192.168.1.18/1212

  Dest IP/Port   : 192.168.1.55/23

  Pro              : TCP(TCP(6))

  VPN-Instance/VLAN ID/VLL ID:

Total find: 2

# Display detailed information about all session table entries.

<Sysname> display session table verbose

Initiator:

  Source IP/Port : 192.168.1.19/137

  Dest IP/Port   : 192.168.1.255/137

  VPN-Instance/VLAN ID/VLL ID:

Responder:

  Source IP/Port : 192.168.1.255/137

  Dest IP/Port   : 192.168.1.19/137

  VPN-Instance/VLAN ID/VLL ID:

Pro: UDP(17)    App: NBT-name          State: UDP-OPEN

Start time: 2014-03-17 10:39:43  TTL: 2s

Received packet(s)(Init): 6 packet(s) 468 byte(s)

Received packet(s)(Reply): 0 packet(s) 0 byte(s)

 

Initiator:

  Source IP/Port : 192.168.1.18/1212

  Dest IP/Port   : 192.168.1.55/23

  VPN-Instance/VLAN ID/VLL ID:

Responder:

  Source IP/Port : 192.168.1.55/23

  Dest IP/Port    : 192.168.1.18/1212

  VPN-Instance/VLAN ID/VLL ID:

Pro: TCP(6)     App: TELNET            State: TCP-EST

Start time: 2014-03-17 09:30:33  TTL: 3600s

Received packet(s)(Init): 1173 packet(s) 47458 byte(s)

Received packet(s)(Reply): 1168 packet(s) 61845 byte(s)

 

 Total find: 2

# Display the number of session table entries with the source IP address of 1.1.1.1.

<Sysname> display session table source-ip 1.1.1.1 count

 Matching session count: 100

Table 5 Command output

Field                        Description
Initiator:                   Initiator's session information.
Responder:                   Responder's session information.
Pro                          Transport layer protocol: TCP, UDP, ICMP, or Raw IP.
VPN-Instance/VLAN ID/VLL ID  VPN instance to which the session belongs (this part of the field is reserved for
                             future support), and the VLAN and INLINE (VLL) to which the session belongs during
                             Layer 2 forwarding.
App                          Application layer protocol: FTP, DNS, MSN, or QQ. Unknown indicates that the session
                             uses a non-well-known port, so the application layer protocol cannot be identified.
State                        Session status. Possible values are Accelerate, SYN, TCP-EST, FIN, UDP-OPEN,
                             UDP-READY, ICMP-OPEN, ICMP-CLOSED, RAWIP-OPEN, and RAWIP-READY.
Start Time                   Session establishment time.
TTL                          Remaining lifetime of the session, in seconds.
Received packet(s)(Init)     Counts of packets and bytes from the initiator to the responder.
Received packet(s)(Reply)    Counts of packets and bytes from the responder to the initiator.
Total find                   Total number of sessions found.

 
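To turn the verbose output above into something a monitoring script can act on, here is an added example (not part of the H3C reference) that parses entries in the format shown and lists one-way sessions, meaning entries with no packets seen from the responder. The sample text is the page's own two entries, embedded as a constructed string.

```python
import re

# Constructed sample: the two entries shown by "display session table verbose"
# above, embedded as a string so the parser runs offline.
SAMPLE = """\
Initiator:
  Source IP/Port : 192.168.1.19/137
  Dest IP/Port   : 192.168.1.255/137
  VPN-Instance/VLAN ID/VLL ID:
Responder:
  Source IP/Port : 192.168.1.255/137
  Dest IP/Port   : 192.168.1.19/137
  VPN-Instance/VLAN ID/VLL ID:
Pro: UDP(17)    App: NBT-name          State: UDP-OPEN
Start time: 2014-03-17 10:39:43  TTL: 2s
Received packet(s)(Init): 6 packet(s) 468 byte(s)
Received packet(s)(Reply): 0 packet(s) 0 byte(s)

Initiator:
  Source IP/Port : 192.168.1.18/1212
  Dest IP/Port   : 192.168.1.55/23
  VPN-Instance/VLAN ID/VLL ID:
Responder:
  Source IP/Port : 192.168.1.55/23
  Dest IP/Port    : 192.168.1.18/1212
  VPN-Instance/VLAN ID/VLL ID:
Pro: TCP(6)     App: TELNET            State: TCP-EST
Start time: 2014-03-17 09:30:33  TTL: 3600s
Received packet(s)(Init): 1173 packet(s) 47458 byte(s)
Received packet(s)(Reply): 1168 packet(s) 61845 byte(s)

 Total find: 2
"""

_ENDPOINT = re.compile(r"(Source|Dest) IP/Port\s*:\s*(\S+)/(\d+)")
_PRO = re.compile(r"Pro:\s*(\S+)\s+App:\s*(\S+)\s+State:\s*(\S+)")
_TTL = re.compile(r"TTL:\s*(\d+)s")
_CNT = re.compile(r"Received packet\(s\)\((Init|Reply)\):\s*(\d+) packet\(s\)\s*(\d+) byte\(s\)")


def parse_session_table(text):
    """Return one dict per verbose entry: src, sport, dst, dport, proto, app,
    state, ttl, init_pkts, init_bytes, reply_pkts, reply_bytes."""
    sessions, cur, side = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if s == "Initiator:":              # every entry starts with its initiator block
            cur, side = {}, "init"
        elif s == "Responder:":            # responder block mirrors the 5-tuple; not needed
            side = "resp"
        elif cur is None:                  # blank lines and the "Total find" trailer
            continue
        elif (m := _ENDPOINT.match(s)) and side == "init":
            key = "src" if m.group(1) == "Source" else "dst"
            cur[key] = m.group(2)
            cur["sport" if key == "src" else "dport"] = int(m.group(3))
        elif m := _PRO.match(s):
            cur["proto"], cur["app"], cur["state"] = m.groups()
        elif m := _TTL.search(s):          # TTL shares a line with "Start time"
            cur["ttl"] = int(m.group(1))
        elif m := _CNT.match(s):
            d = m.group(1).lower()         # "init" or "reply"
            cur[d + "_pkts"], cur[d + "_bytes"] = int(m.group(2)), int(m.group(3))
            if d == "reply":               # the Reply counter closes the entry
                sessions.append(cur)
                cur = None
    return sessions


def one_way_sessions(sessions):
    """Entries with no packets seen from the responder. Expected for a broadcast
    NetBIOS name query like the first sample entry; for a unicast target it is
    worth a look, as the reply never came or takes a path the device does not see."""
    return [s for s in sessions if s["reply_pkts"] == 0]
```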

reset session

Use reset session to clear session table entries.

Syntax

reset session [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol-type { icmp | raw-ip | tcp | udp } ] [ source-port  source-port ] [ destination-port destination-port ]

Views

User view

Default command level

2: System level

Parameters

source-ip source-ip: Clears the session table entries with the specified source IP address of the initiator.

destination-ip destination-ip: Clears the session table entries with the specified destination IP address of the initiator.

protocol-type { icmp | raw-ip | tcp | udp }: Clears the session table entries of the specified protocol type. The protocol types include ICMP, Raw IP, TCP, and UDP.

source-port source-port: Clears the session table entries with the specified source port of the initiator.

destination-port destination-port: Clears the session table entries with the specified destination port of the initiator.

Usage guidelines

If no parameter is specified, the command clears all session table entries.

Examples

# Clear all session table entries.

<Sysname> reset session

# Clear all sessions whose initiator source IP address is 10.10.10.10.

<Sysname> reset session source-ip 10.10.10.10

reset session statistics

Use reset session statistics to clear session statistics.

Syntax

reset session statistics

Views

User view

Default command level

2: System level

Examples

# Clear all session statistics.

<Sysname> reset session statistics

session aging-time

Use session aging-time to set the aging timer for sessions of a specified protocol that are in a specified state.

Use undo session aging-time to restore the default. If no keyword is specified, the command restores the session aging timers for all protocol states to the defaults.

Syntax

session aging-time { accelerate | fin | icmp-closed | icmp-open | rawip-open | rawip-ready | syn | tcp-est | udp-open | udp-ready } time-value

undo session aging-time [ accelerate | fin | icmp-closed | icmp-open | rawip-open | rawip-ready | syn | tcp-est | udp-open | udp-ready ]

Default

The default values are as follows:

·     ACCELERATE state: 10 seconds.

·     TCP FIN_WAIT state: 30 seconds.

·     ICMP CLOSED state: 30 seconds.

·     ICMP OPEN state: 60 seconds.

·     RAWIP_OPEN state: 30 seconds.

·     RAWIP_READY state: 60 seconds.

·     TCP SYN_SENT and SYN_RCV state: 30 seconds.

·     TCP ESTABLISHED state: 3600 seconds.

·     UDP OPEN state: 30 seconds.

·     UDP READY state: 60 seconds.

Views

System view

Default command level

2: System level

Parameters

accelerate: Specifies the aging timer for the sessions in the accelerate queue.

fin: Specifies the aging timer for the TCP sessions in the FIN_WAIT state.

icmp-closed: Specifies the aging timer for the ICMP sessions in the CLOSED state.

icmp-open: Specifies the aging timer for the ICMP sessions in the OPEN state.

rawip-open: Specifies the aging timer for the sessions in the RAWIP_OPEN state.

rawip-ready: Specifies the aging timer for the sessions in the RAWIP_READY state.

syn: Specifies the aging timer for the TCP sessions in the SYN_SENT or SYN_RCV state.

tcp-est: Specifies the aging timer for the TCP sessions in the ESTABLISHED state.

udp-open: Specifies the aging timer for the UDP sessions in the OPEN state.

udp-ready: Specifies the aging timer for the UDP sessions in the READY state.

time-value: Aging timer in seconds. The value range is 5 to 100000 seconds.

Usage guidelines

To display the session aging timers in different protocol states, use the display session aging-time command.

Examples

# Set the aging time for TCP sessions in the SYN_SENT or SYN_RCV state to 60 seconds.

<Sysname> system-view

[Sysname] session aging-time syn 60

session checksum

Use session checksum to enable checksum verification for protocol packets.

Use undo session checksum to disable checksum verification.

Syntax

session checksum { all | { icmp | tcp | udp } * }

undo session checksum { all | { icmp | tcp | udp } * }

Default

Checksum verification is disabled.

Views

System view

Default command level

2: System level

Parameters

all: Enables checksum verification for TCP, UDP, and ICMP packets.

icmp: Enables checksum verification for ICMP packets.

tcp: Enables checksum verification for TCP packets.

udp: Enables checksum verification for UDP packets.

Examples

# Enable checksum verification for UDP packets.

<Sysname> system-view

[Sysname] session checksum udp

session log bytes-active

Use session log bytes-active to set the byte-based threshold for traffic-based logging.

Use undo session log bytes-active to restore the default.

Syntax

session log bytes-active bytes-value

undo session log bytes-active

Default

The device does not output session logs.

Views

System view

Default command level

2: System level

Parameters

bytes-value: Sets the byte-based threshold in the range of 1 to 1000 MB.

Examples

# Configure the device to output session logs on a per-10-MB basis.

<Sysname> system-view

[Sysname] session log bytes-active 10

session log enable (interface view)

Use session log enable to enable session logging.

Use undo session log enable to disable session logging.

Syntax

session log enable [ acl acl-number ] { inbound | outbound }

undo session log enable [ acl acl-number ] { inbound | outbound }

Default

Session logging is disabled.

Views

Interface view

Default command level

2: System level

Parameters

acl acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

Usage guidelines

If you do not specify an ACL, this command enables session logging for all sessions on the interface.

If neither the inbound nor the outbound keyword is specified, session logging is enabled in both directions.

In each direction, only one ACL can be used for session logging. If you execute the command several times with different ACLs in the same direction, the most recent configuration takes effect.

Examples

# Enable session logging on interface VLAN-interface 1 for all sessions in the inbound direction.

<Sysname> system-view

[Sysname] interface vlan-interface 1

[Sysname-Vlan-interface1] session log enable inbound

# Enable session logging on interface VLAN-interface 2 for sessions that match ACL 2050 in the outbound direction.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] session log enable acl 2050 outbound

session log packets-active

Use session log packets-active to set the packet-based threshold for traffic-based logging.

Use undo session log packets-active to restore the default.

Syntax

session log packets-active packets-value

undo session log packets-active

Default

The device does not output session logs.

Views

System view

Default command level

2: System level

Parameters

packets-value: Sets the packet-based threshold in the range of 1 to 1000 mega-packets.

Examples

# Configure the device to output session logs on a per-10-mega-packet basis.

<Sysname> system-view

[Sysname] session log packets-active 10

session log time-active

Use session log time-active to set the interval for time-based session logging.

Use undo session log time-active to restore the default.

Syntax

session log time-active time-value

undo session log time-active

Default

The device does not output session logs.

Views

System view

Default command level

2: System level

Parameters

time-value: Sets the interval in minutes. The value range for the time-value argument is 10 to 120, and the value must be a multiple of 10.

Examples

# Configure the device to output session logs at 50-minute intervals.

<Sysname> system-view

[Sysname] session log time-active 50

session mode hybrid

Use session mode hybrid to set the hybrid mode for session management. In this mode, session management can process both bidirectional sessions and unidirectional sessions.

Use undo session mode to set the bidirectional mode for session management.

Syntax

session mode hybrid

undo session mode

Default

The session management feature operates in bidirectional mode, and it can process only bidirectional sessions.

Views

System view

Default command level

2: System level

Usage guidelines

In a bidirectional session, the packets in both directions pass through the device.

In a unidirectional session, only the packets in one direction pass through the device; the packets in the opposite direction do not pass through the device.

Examples

# Set the hybrid mode for session management.

<Sysname> system-view

[Sysname] session mode hybrid

session persist acl

Use session persist acl to specify persistent sessions. Sessions that match the permit statements in the specified ACL are persistent sessions.

Use undo session persist to remove the configuration.

Syntax

session persist acl acl-number [ aging-time time-value ]

undo session persist

Default

No persistent session rule is specified.

Views

System view

Default command level

2: System level

Parameters

acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

aging-time time-value: Sets the aging time for persistent sessions, in hours. The value range is 0 to 360 and defaults to 24. To disable the aging for persistent sessions, set the value to 0.

Usage guidelines

Persistent sessions are not removed merely because no packets have matched them within the aging time. You can remove such sessions manually when necessary.

A persistent session rule can reference only one ACL.

Examples

# Configure all sessions matching ACL 2000 as persistent sessions and set their aging time to 72 hours.

<Sysname> system-view

[Sysname] session persist acl 2000 aging-time 72

Related commands

reset session
